GHSA-vh73-q3rw-qx7w

Source: https://github.com/advisories/GHSA-vh73-q3rw-qx7w
Import Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-vh73-q3rw-qx7w/GHSA-vh73-q3rw-qx7w.json
Aliases:
  • CVE-2024-1052
Published: 2024-02-05T21:30:31Z
Modified: 2024-02-05T23:28:34.939656Z
Details

Boundary and Boundary Enterprise (“Boundary”) are vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust-on-first-use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

Affected packages

Go / github.com/hashicorp/boundary

Affected ranges

Type: SEMVER
Events:
  • Introduced: 0.8.0
  • Fixed: 0.15.0